On Wed, Jul 02, 2003 at 01:23:48AM +0200, Kenny Gryp wrote:
> Will this produce a problem, when it's sent to every other interface, pf will get
> the packet twice,
> _but_ it will block the 'illegal' one (the one to rl1) and will return a packet with
> R flag set
> (Reset)? So the connection gets refused because of that 'illegal' packet?
That's possible, if the bridge hasn't learned yet through which interface to reach a mac address. Run tcpdump on the client, printing all packets from/to the server. If you see both a SYN+ACK and an RST, that would confirm that theory. If that's the case, either don't return-rst when blocking these packets, or filter incoming connections only on the external interface, so they don't get broadcast and blocked later on.

But you'd only see this for the first connection, afterwards the bridge has learned the destination and shouldn't broadcast anymore. You can run tcpdump on the bridge (on all interfaces), and you'll see whether packets are broadcast by the bridge...

Make sure you enable debug logging in pf (pfctl -xm, see /var/log/messages). Might be just a broken client that's re-using the source port too early, causing pf to drop the second connection.

In short, tell us where the bridge is sending what packets with pf disabled, and which packets on what interfaces do get blocked when you enable pf, by running tcpdump on all interfaces.

Daniel
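An added example (not part of the thread) of the check Daniel describes: scan a client-side tcpdump capture for a connection where the server's SYN+ACK is followed by an RST carrying the server's address, which is what a return-rst on a second, broadcast copy of the SYN would look like. It assumes tcpdump was run with -n (numeric addresses) and the sample lines below are constructed for illustration.

```python
import re

# Matches the per-packet line tcpdump -n prints for IPv4 TCP traffic.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_packet(line):
    """Return ((src_ip, sport), (dst_ip, dport), flags) or None if not a TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = (m.group("src"), int(m.group("sport")))
    dst = (m.group("dst"), int(m.group("dport")))
    return src, dst, m.group("flags")

def find_reset_after_synack(lines):
    """Return the set of (client, server) pairs where a SYN+ACK from the server
    is later followed by an RST that also claims the server's address.
    Both the real server and a return-rst rule answered the same SYN."""
    synack_seen = {}   # (client, server) -> index of the first SYN+ACK
    suspicious = set()
    for i, line in enumerate(lines):
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, dst, flags = pkt
        key = (dst, src)   # server -> client packets; key is (client, server)
        if "S" in flags and "." in flags and "R" not in flags:
            synack_seen.setdefault(key, i)
        elif "R" in flags and key in synack_seen and synack_seen[key] < i:
            suspicious.add(key)
    return suspicious

# Constructed capture: one connection that gets SYN+ACK then RST, one that is fine.
SAMPLE_CAPTURE = [
    "01:23:48.000100 IP 10.0.0.20.49152 > 192.168.1.10.80: Flags [S], seq 1000, win 65535, length 0",
    "01:23:48.000300 IP 192.168.1.10.80 > 10.0.0.20.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "01:23:48.000400 IP 192.168.1.10.80 > 10.0.0.20.49152: Flags [R.], seq 0, ack 1001, win 0, length 0",
    "01:23:49.000100 IP 10.0.0.20.49153 > 192.168.1.10.22: Flags [S], seq 3000, win 65535, length 0",
    "01:23:49.000300 IP 192.168.1.10.22 > 10.0.0.20.49153: Flags [S.], seq 4000, ack 3001, win 65535, length 0",
    "01:23:49.000500 IP 10.0.0.20.49153 > 192.168.1.10.22: Flags [.], ack 1, win 65535, length 0",
]

if __name__ == "__main__":
    for client, server in sorted(find_reset_after_synack(SAMPLE_CAPTURE)):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: SYN+ACK followed by RST")
```

Feed it real output with `tcpdump -n -i <iface> host <server>` piped through the parser; a hit on the first connection only, with later ones clean, matches the "bridge hasn't learned the MAC yet" theory rather than a client re-using source ports.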
